X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/75a333539929f12b465071f9203f58f2eacd5f3f..de9e7da35a337aa9b0ccca35bd564cf069d0d67d:/doc/plugins/contrib/comments.mdwn diff --git a/doc/plugins/contrib/comments.mdwn b/doc/plugins/contrib/comments.mdwn index 2e501995f..1a6e7f465 100644 --- a/doc/plugins/contrib/comments.mdwn +++ b/doc/plugins/contrib/comments.mdwn @@ -1,4 +1,4 @@ -[[!template id=plugin name=postcomment author="[[Simon_McVittie|smcv]]"]] +[[!template id=plugin name=comments author="[[Simon_McVittie|smcv]]"]] [[!tag type/useful]] This plugin adds "blog-style" comments. The intention is that on a non-wiki site @@ -23,10 +23,82 @@ only by direct committers. Currently, comments are always in [[ikiwiki/markdown] >> admins (~= git committers) and possibly the commenter (who we can't check for >> at the moment anyway, I don't think?) to be able to edit comments - I think >> user expectations for something that looks like ordinary blog comments are ->> likely to include "others can't put words into my mouth". --[[smcv]] - -Directives and raw HTML are filtered out by default, and comment authorship should -hopefully be unforgeable by CGI users. +>> likely to include "others can't put words into my mouth". +>> +>> My other objection to using a namespace is that I'm not particularly happy about +>> plugins consuming arbitrary pieces of the wiki namespace - /discussion is bad +>> enough already. Indeed, this very page would accidentally get matched by rules +>> aiming to control comment-posting... :-) --[[smcv]] + +>> Thinking about it, perhaps one way to address this would be to have the suffix +>> (e.g. whether commenting on Sandbox creates sandbox/comment1 or sandbox/c1 or +>> what) be configurable by the wiki admin, in the same way that recentchanges has +>> recentchangespage => 'recentchanges'? I'd like to see fewer hard-coded page +>> names in general, really - it seems odd to me that shortcuts and smileys +>> hard-code the name of the page to look at. Perhaps I could add +>> discussionpage => 'discussion' too? --[[smcv]] + +>> (I've now implemented this in my branch. --[[smcv]]) + +>> The best reason to keep the pages internal seems to me to be that you +>> don't want the overhead of every comment spawning its own wiki page. +>> The worst problem with it though is that you have to assume the pages +>> are mdwn (or `default_pageext`) and not support other formats. --[[Joey]] + +>> Well, you could always have `comment1._mdwn`, `comment2._creole` etc. and +>> alter the htmlize logic so that the `mdwn` hook is called for both `mdwn` +>> and `_mdwn` (assuming this is not already the case). I'm not convinced +>> that multi-format comments are a killer feature, though - part of the point +>> of this plugin, in my mind, is that it's less flexible than the full power +>> of ikiwiki and gives users fewer options. This could be construed +>> to be a feature, for people who don't care how flexible the technology is +>> and just want a simple way to leave a comment. The FormattingHelp page +>> assumes you're writing 100% Markdown in any case... +>> +>> Internal pages do too many things, perhaps: they suppress generation of +>> HTML pages, they disable editing over the web, and they have a different +>> namespace of htmlize hooks. I think the first two of those are useful +>> for this plugin, and the last is harmless; you seem to think the first +>> is useful, and the other two are harmful. --[[smcv]] + +>> By the way, I think that who can post comments should be controllable by +>> the existing plugins opendiscussion, anonok, signinedit, and lockedit. Allowing +>> posting comments w/o any login, while a nice capability, can lead to +>> spam problems. So, use `check_canedit` as at least a first-level check? +>> --[[Joey]] + +>> This plugin already uses `check_canedit`, but that function doesn't have a concept +>> of different actions. The hack I use is that when a user comments on, say, sandbox, +>> I call `check_canedit` for the pseudo-page "sandbox[postcomment]". The +>> special `postcomment(glob)` [[ikiwiki/pagespec]] returns true if the page ends with +>> "[postcomment]" and the part before (e.g. sandbox) matches the glob. So, you can +>> have postcomment(blog/*) or something. (Perhaps instead of taking a glob, postcomment +>> should take a pagespec, so you can have postcomment(link(tags/commentable))?) +>> +>> This is why `anonok_pages => 'postcomment(*)'` and `locked_pages => '!postcomment(*)'` +>> are necessary to allow anonymous and logged-in editing (respectively). +>> +>> This is ugly - one alternative would be to add `check_permission()` that takes a +>> page and a verb (create, edit, rename, remove and maybe comment are the ones I +>> can think of so far), use that, and port the plugins you mentioned to use that +>> API too. This plugin could either call `check_can("$page/comment1", 'create')` or +>> call `check_can($page, 'comment')`. +>> +>> One odd effect of the code structure I've used is that we check for the ability to +>> create the page before we actually know what page name we're going to use - when +>> posting the comment I just increment a number until I reach an unused one - so +>> either the code needs restructuring, or the permission check for 'create' would +>> always be for 'comment1' and never 'comment123'. --[[smcv]] + +>> Another possibility is to just check for permission to edit (e.g.) `sandbox/comment1`. +>> However, this makes the "comments can only be created, not edited" feature completely +>> reliant on the fact that internal pages can't be edited. Perhaps there should be a +>> `editable_pages` pagespec, defaulting to `'*'`? + +When using this plugin, you should also enable [[htmlscrubber]] and either [[htmltidy]] +or [[htmlbalance]]. Directives are filtered out by default, to avoid commenters slowing +down the wiki by causing time-consuming processing. As long as the recommended plugins +are enabled, comment authorship should hopefully be unforgeable by CGI users. > I'm not sure that raw html should be a problem, as long as the > htmlsanitizer and htmlbalanced plugins are enabled. I can see filtering @@ -37,12 +109,28 @@ hopefully be unforgeable by CGI users. >> I was initially wary of allowing meta directives, but I think those are OK, as long >> as the comment template puts the \[[!meta author]] at the *end*. Disallowing >> directives is more a way to avoid commenters causing expensive processing than ->> anything else, at this point. --[[smcv]] +>> anything else, at this point. +>> +>> I've rebased the plugin on master, made it sanitize individual posts' content +>> and removed the option to disallow raw HTML. Sanitizing individual posts before +>> they've been htmlized required me to preserve whitespace in the htmlbalance +>> plugin, so I did that. Alternatively, we could htmlize immediately and always +>> save out raw HTML? --[[smcv]] + +>> There might be some use cases for other directives, such as img, in +>> comments. +>> +>> I don't know if meta is "safe" (ie, guaranteed to be inexpensive and not +>> allow users to do annoying things) or if it will continue to be in the +>> future. Hard to predict really, all that can be said with certainty is +>> all directives will contine to be inexpensive and safe enough that it's +>> sensible to allow users to (ab)use them on open wikis. +>> --[[Joey]] When comments have been enabled generally, you still need to mark which pages -can have comments, by including the `\[[!postcomment]]` directive in them. By default, +can have comments, by including the `\[[!comments]]` directive in them. By default, this directive expands to a "post a comment" link plus an `\[[!inline]]` with -the comments. +the comments. [This requirement has now been removed --[[smcv]]] > I don't like this, because it's hard to explain to someone why they have > to insert this into every post to their blog. Seems that the model used @@ -55,11 +143,34 @@ the comments. >> Then control freaks like me could use "link(tags/comments)" and tag pages >> as allowing comments. >> +>>> Yes, I think a pagespec is the way to go. --[[Joey]] + +>>> Implemented --[[smcv]] + +>> >> The model used for discussion pages does require patching the existing >> page template, which I was trying to avoid - I'm not convinced that having >> every possible feature hard-coded there really scales (and obviously it's >> rather annoying while this plugin is on a branch). --[[smcv]] +>>> Using the template would allow customising the html around the comments +>>> which seems like a good thing? --[[Joey]] + +>>> The \[[!comments]] directive is already template-friendly - it expands to +>>> the contents of the template `comments_embed.tmpl`, possibly with the +>>> result of an \[[!inline]] appended. I should change `comments_embed.tmpl` +>>> so it uses a template variable `INLINE` for the inline result rather than +>>> having the perl code concatenate it, which would allow a bit more +>>> customization (whether the "post" link was before or after the inline). +>>> Even if you want comments in page.tmpl, keeping the separate comments_embed.tmpl +>>> and having a `COMMENTS` variable in page.tmpl might be the way forward, +>>> since the smaller each templates is, the easier it will be for users +>>> to maintain a patched set of templates. (I think so, anyway, based on what happens +>>> with dpkg prompts in Debian packages with monolithic vs split +>>> conffiles.) --[[smcv]] + +>>> I've switched my branch to use page.tmpl instead; see what you think? --[[smcv]] + The plugin adds a new [[ikiwiki/PageSpec]] match type, `postcomment`, for use with `anonok_pagespec` from the [[plugins/anonok]] plugin or `locked_pages` from the [[plugins/lockedit]] plugin. Typical usage would be something like: @@ -72,21 +183,26 @@ to allow non-admin users to comment on pages, but not edit anything. You can als to allow anonymous comments (the IP address will be used as the "author"). -Optional parameters to the postcomment directive: +> This is still called postcomment, although I've renamed the rest of the plugin +> to comments as suggested on #ikiwiki --[[smcv]] -* `commit=no`: by default, comments are committed to version control. Use this to - disable commits. -* `allowhtml=yes`: by default, raw HTML is filtered out. Use this to allow HTML - (you should enable [[plugins/htmlscrubber]] and either [[plugins/htmltidy]] or - [[plugins/contrib/htmlbalance]] if you do this). -* `allowdirectives=yes`: by default, IkiWiki directives are filtered out. Use this - to allow directives (avoid enabling any [[plugins/type/slow]] directives if you - do this). -* `closed=yes`: use this to prevent new comments while still displaying existing ones. -* `atom`, `rss`, `feeds`, `feedshow`, `timeformat`, `feedonly`: the same as for [[plugins/inline]] +There are some global options for the setup file: + +* comments_shown_pagespec: pages where comments will be displayed inline, e.g. `blog/*` + or `*/discussion`. +* comments_open_pagespec: pages where new comments can be posted, e.g. + `blog/* and created_after(close_old_comments)` or `*/discussion` +* comments_pagename: if this is e.g. `comment_` (the default), then comments on the + [[sandbox]] will be called something like `sandbox/comment_12` +* comments_allowdirectives: if true (default false), comments may contain IkiWiki + directives +* comments_commit: if true (default true), comments will be committed to the version + control system This plugin aims to close the [[todo]] item "[[todo/supporting_comments_via_disussion_pages]]", -and is currently available from [[smcv]]'s git repository on git.pseudorandom.co.uk. +and is currently available from [[smcv]]'s git repository on git.pseudorandom.co.uk (it's the +`postcomment` branch). A demo wiki with the plugin enabled is running at +. Known issues: @@ -94,10 +210,15 @@ Known issues: * The access control via postcomment() is rather strange * There is some common code cargo-culted from other plugins (notably inline and editpage) which should probably be shared -* If the postcomment directive is removed from a page, comments can still be made on that page, - and will be committed but not displayed; to disable comments properly you have to set the - closed="yes" directive parameter (and refresh the wiki), *then* remove the directive if - desired > I haven't done a detailed code review, but I will say I'm pleased you > avoided re-implementing inline! --[[Joey]] + +Wishlist: + +* tbm would like anonymous people to be able to enter their name and possibly email + address +* smcv would like an indication of who you're posting as / the ability to log in + as someone else (even if anonymous comments are allowed, it'd be nice to be + able to choose to log in with a username or OpenID, like in Livejournal); + perhaps editpage needs this too